debian/compat:
8

debian/source/format:
3.0 (quilt)

debian/README.Debian:
1/ Licenses, and embedded libraries that were removed
-----------------------------------------------------
eXtplorer had many embedded libraries, so I have worked with the upstream
author to remove, and/or package them all separately. This version of the
source package has the following embedded libraries removed:
- editarea
- extjs3
- yui
- SWFUpload (swf binary file only, the rest of it is still in the upstream
  tarball in Debian main).
The above may be found in upstream scripts.tar.gz (which is shipped already
extracted in this Debian package), plus some PHP PEAR packages in the
"libraries" folder:
- php/System
- php-service-json
- php-geshi
- php/Net/FTP
- php/Archive/Tar
- php/Console
- php/Auth/Auth.php
- php/Auth/HTTP
- php/MIME
These PHP libraries are packaged separately in Debian (some of the packages
are maintained by the maintainer of this package, some were already present
in the Debian archives).

The files libraries/inputfilter.php, libraries/lib_zip.php, include/* and
many others are forks of other projects, so I had to leave the modified
versions in. See the copyright file for the list and more details about
their respective licenses.

If I have missed some libraries that should be packaged separately (which I
don't think happened, as I have read all file headers), let me know, and I
will separate them from the binary packages.
Also, as I wanted to address the potential issue of wrong Unix access
rights, and because some symlinks had to be created to replace the removed
library files, I have created a Makefile that does the installation of all
the PHP scripts in $(DESTDIR), to ease my maintainer work.

As all the source code of separate libraries was creating an unnecessary
mess in my debian/copyright file, I have decided to create a +dfsg
orig.tar.gz. I also don't think it's a good idea to have upstream's embedded
code in the orig.tar.gz, as it can get outdated anyway. To remove all these
libraries, and rebuild a new updated orig.tar.gz, you can run the very
trivial maintainer script debian/create_dfsg_from_upstream.

2/ Setting-up
-------------
Once the extplorer Debian package is installed, you need to add an Alias
directive to your web server configuration. Under Apache, it's done this
way:

Alias /extplorer /usr/share/extplorer

Once you have the extplorer package installed in your server, you need to
initialise the password authentication system. As I found having admin/admin
by default quite insecure, I have moved away the /etc/extplorer/.htusers.php.
If you want, you can do:

cat /usr/share/doc/extplorer/example.dot.htusers.php >/etc/extplorer/.htusers.php

Then log into eXtplorer's interface. For most it will be through a URL like
this one:

http://1.2.3.4/extplorer/

Then log in as admin / admin. You will then be prompted to change this
default password.

3/ SWFUpload removal
--------------------
As the original tarball included a SWF binary, and as I know absolutely
nothing about Flash ActionScript, I have for the moment removed the
swfupload.swf file from the upstream tarball (otherwise, this would be a
serious violation of the Debian policy, which forces everyone to build from
source, and to not just include binaries, which is a very good thing that
forces people to make sure any software in the Debian archive can be
modified).
So, of course, the final result is that upload will NOT work in extplorer,
unless you manually add this file in the following path:

/usr/share/extplorer/scripts/extjs3-ext/ux.swfupload/swfupload.swf

This file can be found at:

http://code.google.com/p/swfupload/

If you don't manually add the swfupload.swf file, then everything else will
continue to work, only upload will be broken, which may not be an issue if
you have a server that does scp / ftp. It's still nicer to add it in your
server if you can.

Volunteers to package the Adobe swf build tools in Debian would of course be
warmly welcome (according to pabs, these are under the MPL, which makes it a
valid candidate for main). That would be the only way, as the swf upload
library is using ActionScript 3, which doesn't build with mtasc.

The maintainer,
Thomas Goirand

debian/control:
Source: extplorer
Section: web
Priority: optional
Maintainer: Thomas Goirand
Build-Depends: debhelper (>= 8)
Standards-Version: 3.9.3
Vcs-Browser: http://git.debian.org/?p=users/zigo/extplorer.git
Vcs-Git: http://git.debian.org/git/users/zigo/extplorer.git
Homepage: http://extplorer.sourceforge.net/

Package: extplorer
Architecture: all
Depends: ${misc:Depends}, libapache2-mod-php5 | php5-cgi, libjs-edit-area,
 libjs-extjs, libjs-yui, php-pear, php-net-ftp, php-auth-http, php-auth,
 php-geshi, php-compat, php-mail-mime, php-mail-mimedecode,
 php-http-webdav-server, php-services-json, php-mime-type
Description: web file explorer and manager using Ext JS
 a web-based File Manager. You can use it to:
 * browse directories & files on the server and
 * edit, copy, move, delete files,
 * search, upload and download files,
 * create and extract archives,
 * create new files and directories,
 * change file permissions (chmod)
 and much more...
 .
 You can even use eXtplorer to login to the FTP server (like net2ftp) and
 work as if you were using an FTP client.
Access via WebDAV is also possible (requires some extra work and a database!). . eXtplorer is released under a dual-license: You can choose wether you want to use eXtplorer under the Mozilla Public License (MPL 1.1) or under the GNU General Public License (GNU/GPL). Note that if you decide to distribute/use eXtplorer under the MPL, you are not allowed to use the ExtJS Javascript library. debian/watch0000664000000000000000000000012512040544417010220 0ustar version=3 opts=dversionmangle=s/+dfsg// \ http://sf.net/extplorer/eXtplorer_(.*).zip debian/patches/0000775000000000000000000000000013144056026010620 5ustar debian/patches/CVE-2015-0896.patch0000664000000000000000000000247512667547763013305 0ustar Index: extplorer-2.1.0b6+dfsg.2/include/edit.php =================================================================== --- extplorer-2.1.0b6+dfsg.2.orig/include/edit.php 2015-08-20 16:04:53.000000000 +0200 +++ extplorer-2.1.0b6+dfsg.2/include/edit.php 2015-08-20 16:15:08.000000000 +0200 @@ -184,7 +184,7 @@ "labelWidth": "300", "autoScroll": "true", "url":"", - "title": " 50 ? substr( $s_item, strlen($s_item)-30, 30 ) : $s_item; ?>", + "title": " 50 ? substr( htmlentities($s_item,ENT_QUOTES), strlen($s_item)-30, 30 ) : htmlentities($s_item,ENT_QUOTES); ?>", "frame": "true", "closable": "true", "tbar": [{ @@ -256,7 +256,7 @@ }], "items": [{ "xtype": "displayfield", - "value": "" + "value": "" }, { "xtype": "textarea", @@ -285,7 +285,7 @@ "xtype": "textfield", "fieldLabel": "", "name": "fname", - "value": "", + "value": "", "clear": "true" } debian/patches/fixes-Cross-Site-Request-Forgery-vulnerability.patch0000664000000000000000000000375012040544417022705 0ustar Description: fixes Cross Site Request Forgery vulnerability Author: Thomas Goirand Bug-Debian: http://bugs.debian.org/678737 Origin: upstream Forwarded: not-needed --- extplorer-2.1.0b6+dfsg.3.orig/fetchscript.php +++ extplorer-2.1.0b6+dfsg.3/fetchscript.php 
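Review bot: in CVE-2015-0896.patch, the edit.php `"title"` hunk (`@@ -184,7 +184,7 @@`) applies `htmlentities()` before `substr()` but still computes the offset from `strlen($s_item)` on the raw string, so the 30-character window is taken from the wrong position of the entity-encoded string and can cut an entity such as `&quot;` in half, leaving a dangling `&qu` fragment in the generated title. Truncate first, then encode: `htmlentities(substr($s_item, strlen($s_item)-30, 30), ENT_QUOTES)`; the `: htmlentities($s_item,ENT_QUOTES)` branch is fine as written. The two `"value"` hunks read identically on their old and new sides in this copy (the PHP between the quotes was lost in extraction), so they cannot be reviewed here.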
@@ -208,7 +208,7 @@ http_conditionalRequest( $newest_mdate ) // here we need to send the script or stylesheet $processed_files = 0; for( $i = 0; $i < $countFiles; $i++ ) { - $file = addslashes($files[$i]);// fix by colonelxc + $file = $files[$i]; $subdir = $subdirs[$i]; $dir = realpath( $base_dir . '/' . $subdir ); --- extplorer-2.1.0b6+dfsg.3.orig/include/header.php +++ extplorer-2.1.0b6+dfsg.3/include/header.php @@ -33,9 +33,8 @@ if( !defined( '_JEXEC' ) && !defined( '_ * This is the file, which prints the header row with the Logo */ function show_header($dirlinks='') { - $url = htmlentities(str_replace( array('&dir=', '&action=', '&file_mode='), - array('&a=','&b=','&c='), - $_SERVER['REQUEST_URI'] ), ENT_QUOTES ); + $url = str_replace( '&dir=', '&ignore=', $_SERVER['REQUEST_URI'] ); + $url = str_replace('&file_mode=', '', $url ); $url_appendix = strpos($url, '?') === false ? '?' : '&'; @@ -56,7 +55,7 @@ function show_header($dirlinks='') { } echo ''; if( is_object( $GLOBALS['_VERSION'] ) || class_exists( 'jversion')) { - echo 'Back to '.( !empty($GLOBALS['_VERSION']->PRODUCT) ? @$GLOBALS['_VERSION']->PRODUCT : 'Joomla!' ).''; + echo "Back to ".( !empty($GLOBALS['_VERSION']->PRODUCT) ? @$GLOBALS['_VERSION']->PRODUCT : 'Joomla!' ).''; } else { echo ext_selectList('language_selector', $GLOBALS['language'], get_languages(), 1, '', 'onchange="document.location.href=\''.$GLOBALS['script_name'].'?lang=\' + this.options[this.selectedIndex].value;"'); debian/patches/CVE-2015-5660.patch0000664000000000000000000003662512716042171013255 0ustar Index: extplorer-2.1.0b6+dfsg.3/include/admin.php =================================================================== --- extplorer-2.1.0b6+dfsg.3.orig/include/admin.php 2011-03-20 07:20:00.000000000 +0100 +++ extplorer-2.1.0b6+dfsg.3/include/admin.php 2016-05-15 11:33:12.000000000 +0200 @@ -120,7 +120,8 @@ "params": { option: "com_extplorer", "action": "admin", - "action2": "chpwd" + "action2": "chpwd", + "token": "" } }) } 
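Review bot: in fixes-Cross-Site-Request-Forgery-vulnerability.patch the change direction looks inverted: the fetchscript.php hunk removes `addslashes($files[$i])` ("fix by colonelxc") and the header.php `@@ -33,9 +33,8 @@` hunk replaces the `htmlentities(..., ENT_QUOTES)`-wrapped URL with a raw `str_replace()` over `$_SERVER['REQUEST_URI']`, which puts an unescaped request URI back into the generated HTML; a CSRF fix would add output encoding, not remove it. The later upstream-fix-for-multiple-vulnerabilities-including-auth.patch in the series re-adds both the `addslashes()` and the `htmlentities()` call, so confirm this patch was not produced with the old and new files swapped before it is applied. The `echo 'Back to '...` to `echo "Back to "...` quote change in the `@@ -56,7 +55,7 @@` hunk has no functional effect and should be dropped from the diff.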
@@ -170,7 +171,8 @@ "text": "", "handler": function() { Ext.Ajax.request( { url: "", - "params": { "option": "com_extplorer","action": "admin","action2": "adduser" }, + "params": { "option": "com_extplorer","action": "admin","action2": "adduser","token": "" + }, "callback": function(oElement, bSuccess, oResponse) { if( !bSuccess ) { Ext.Msg.alert( "Ajax communication failure!"); @@ -204,7 +206,8 @@ return; } Ext.Ajax.request( { url: "", - "params": { option: "com_extplorer","action": "admin","action2": "edituser","nuser":theUser }, + "params": { option: "com_extplorer","action": "admin","action2": "edituser","nuser":theUser,"token": "" + }, "callback": function(oElement, bSuccess, oResponse) { if( !bSuccess ) { Ext.Msg.alert( "Ajax communication failure!"); @@ -257,6 +260,7 @@ "action": "admin", "action2": "rmuser", "user": theUser + "token": "" } }); }); @@ -274,6 +278,10 @@ } //------------------------------------------------------------------------------ function changepwd($dir) { // Change Password + // CSRF Security Check + if( !ext_checkToken($GLOBALS['__POST']["token"]) ) { + ext_Result::sendResult('tokencheck', false, 'Request failed: Security Token not valid.'); + } $pwd=extEncodePassword(stripslashes($GLOBALS['__POST']["oldpwd"])); if($GLOBALS['__POST']["newpwd1"]!=$GLOBALS['__POST']["newpwd2"]) { ext_Result::sendResult('changepwd', false, $GLOBALS["error_msg"]["miscnopassmatch"]); @@ -296,7 +304,7 @@ } //------------------------------------------------------------------------------ function adduser($dir) { // Add User - if(isset($GLOBALS['__POST']["confirm"]) && $GLOBALS['__POST']["confirm"]=="true") { + if(isset($GLOBALS['__POST']["confirm"]) && $GLOBALS['__POST']["confirm"]=="true" && ext_checkToken($GLOBALS['__POST']["token"]) ) { $user=stripslashes($GLOBALS['__POST']["nuser"]); if($user=="" || $GLOBALS['__POST']["home_dir"]=="") { ext_Result::sendResult('adduser', false, $GLOBALS["error_msg"]["miscfieldmissed"]); 
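Review bot: in CVE-2015-5660.patch, the admin.php `rmuser` hunk (`@@ -257,6 +260,7 @@`) inserts `"token": ""` directly after the context line `"user": theUser`, which has no trailing comma, so the resulting object literal `{ ..., "user": theUser "token": "" }` is a JavaScript syntax error and the whole remove-user handler will fail to parse. Change the context line to `"user": theUser,` as the `chpwd` hunk above does with `"action2": "chpwd",`.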
@@ -328,6 +336,11 @@ function edituser($dir) { // Edit User $user=stripslashes($GLOBALS['__POST']["nuser"]); $data=find_user($user,NULL); + // CSRF Security Check + if( !ext_checkToken($GLOBALS['__POST']["token"]) ) { + ext_Result::sendResult('tokencheck', false, 'Request failed: Security Token not valid.'); + } + if($data==NULL) { ext_Result::sendResult('edituser', false, $user.": ".$GLOBALS["error_msg"]["miscnofinduser"]); } @@ -522,7 +535,8 @@ user: "", "action": 'admin', "action2": "", - "confirm": "true" + "confirm": "true", + "token": "" } }) } @@ -536,6 +550,11 @@ //------------------------------------------------------------------------------ function removeuser($dir) { // Remove User $user=stripslashes($GLOBALS['__POST']["user"]); + // CSRF Security Check + if( !ext_checkToken($GLOBALS['__POST']["token"]) ) { + ext_Result::sendResult('tokencheck', false, 'Request failed: Security Token not valid.'); + } + if($user==$GLOBALS['__SESSION']['credentials_extplorer']['username']) { ext_Result::sendResult('removeuser', false, $GLOBALS["error_msg"]["miscselfremove"]); } Index: extplorer-2.1.0b6+dfsg.3/include/archive.php =================================================================== --- extplorer-2.1.0b6+dfsg.3.orig/include/archive.php 2011-03-20 07:20:00.000000000 +0100 +++ extplorer-2.1.0b6+dfsg.3/include/archive.php 2016-05-14 19:55:11.000000000 +0200 @@ -46,6 +46,12 @@ if(!$GLOBALS["zip"] && !$GLOBALS["tgz"]) { ext_Result::sendResult('archive', false, $GLOBALS["error_msg"]["miscnofunc"]); } + + // CSRF Security Check + if( !ext_checkToken($GLOBALS['__POST']["token"]) ) { + ext_Result::sendResult('tokencheck', false, 'Request failed: Security Token not valid.'); + } + $allowed_types = array( 'zip', 'tgz', 'tbz', 'tar' ); 
@@ -258,4 +264,4 @@ } } //------------------------------------------------------------------------------ -?> \ No newline at end of file +?> Index: extplorer-2.1.0b6+dfsg.3/include/edit.php =================================================================== --- extplorer-2.1.0b6+dfsg.3.orig/include/edit.php 2016-05-14 19:51:15.000000000 +0200 +++ extplorer-2.1.0b6+dfsg.3/include/edit.php 2016-05-14 20:03:14.000000000 +0200 @@ -71,6 +71,10 @@ if(!get_show_item($dir, $item)) { ext_Result::sendResult('edit', false, $item.": ".ext_Lang::err('accessfile' )); } + // CSRF Security Check + if( !ext_checkToken($GLOBALS['__POST']["token"]) ) { + ext_Result::sendResult('tokencheck', false, 'Request failed: Security Token not valid.'); + } if(isset($GLOBALS['__POST']["dosave"]) && $GLOBALS['__POST']["dosave"]=="yes") { // Save / Save As @@ -210,7 +214,8 @@ code: editAreaLoader.getValue("ext_codefield"), dir: '', item: '', - dosave: 'yes' + dosave: 'yes', + token: "" } }); }, @@ -239,7 +244,8 @@ action: 'edit', dir: '', item: '', - doreopen: 'yes' + doreopen: 'yes', + token: "" } }); }, Index: extplorer-2.1.0b6+dfsg.3/include/mkitem.php =================================================================== --- extplorer-2.1.0b6+dfsg.3.orig/include/mkitem.php 2011-03-20 07:20:00.000000000 +0100 +++ extplorer-2.1.0b6+dfsg.3/include/mkitem.php 2016-05-14 20:04:29.000000000 +0200 
@@ -39,8 +39,17 @@ function execAction($dir) { // make new directory or file if(($GLOBALS["permissions"]&01)!=01) ext_Result::sendResult( 'mkitem', false, $GLOBALS["error_msg"]["accessfunc"]); + // CSRF Security Check + if( !ext_checkToken($GLOBALS['__POST']["token"]) ) { + ext_Result::sendResult('tokencheck', false, 'Request failed: Security Token not valid.'); + } + if( extGetParam($_POST,'confirm') == 'true') { + // CSRF Security Check + if( !ext_checkToken($GLOBALS['__POST']["token"]) ) { + ext_Result::sendResult('tokencheck', false, 'Request failed: Security Token not valid.'); + } $mkname=$GLOBALS['__POST']["mkname"]; $mktype=$GLOBALS['__POST']["mktype"]; $symlink_target = $GLOBALS['__POST']['symlink_target']; Index: extplorer-2.1.0b6+dfsg.3/include/transfer.php =================================================================== --- extplorer-2.1.0b6+dfsg.3.orig/include/transfer.php 2011-03-20 07:20:00.000000000 +0100 +++ extplorer-2.1.0b6+dfsg.3/include/transfer.php 2016-05-14 19:57:56.000000000 +0200 @@ -51,6 +51,11 @@ //DEBUG ext_Result::sendResult('transfer', false, $dir ); // Execute if(isset($GLOBALS['__POST']["confirm"]) && $GLOBALS['__POST']["confirm"]=="true") { + // CSRF Security Check + if( !ext_checkToken($GLOBALS['__POST']["token"]) ) { + ext_Result::sendResult('tokencheck', false, 'Request failed: Security Token not valid.'); + } + $cnt=count($GLOBALS['__POST']['userfile']); $err=false; @@ -424,4 +429,4 @@ return false; } -?> \ No newline at end of file +?> Index: extplorer-2.1.0b6+dfsg.3/include/upload.php =================================================================== --- extplorer-2.1.0b6+dfsg.3.orig/include/upload.php 2011-03-20 07:20:00.000000000 +0100 +++ extplorer-2.1.0b6+dfsg.3/include/upload.php 2016-05-14 19:59:58.000000000 +0200 
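Review bot: in CVE-2015-5660.patch, the mkitem.php hunk (`@@ -39,8 +39,17 @@`) adds the same `ext_checkToken()` block twice: once unconditionally at the top of `execAction()` and again inside `if( extGetParam($_POST,'confirm') == 'true')`. The outer copy makes the check run on the initial request that only renders the create dialog, which the upload.php, transfer.php and rename.php hunks in this same patch deliberately avoid by checking only on the `confirm == "true"` branch; keep the inner copy only, so that opening the dialog does not fail when no token is posted. As everywhere else in this patch, the check relies on `ext_Result::sendResult()` never returning; if it can return, add an explicit `return;` after it, otherwise the action continues past a failed token check.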
@@ -44,6 +44,11 @@ // Execute if(isset($GLOBALS['__POST']["confirm"]) && $GLOBALS['__POST']["confirm"]=="true") { + // CSRF Security Check + if( !ext_checkToken($GLOBALS['__POST']["token"]) ) { + ext_Result::sendResult('tokencheck', false, 'Request failed: Security Token not valid.'); + } + if( isset($GLOBALS['__FILES']['Filedata'])) { // Re-Map the flash-uploaded file with the name "Filedata" to the "userfile" array @@ -162,7 +167,8 @@ "action": "upload", "dir": datastore.directory, "requestType": "xmlhttprequest", - "confirm": "true" + "confirm": "true", + "token": "" }, " } }); } @@ -313,4 +320,4 @@ } } -?> \ No newline at end of file +?> Index: extplorer-2.1.0b6+dfsg.3/include/chmod.php =================================================================== --- extplorer-2.1.0b6+dfsg.3.orig/include/chmod.php 2011-03-20 07:20:00.000000000 +0100 +++ extplorer-2.1.0b6+dfsg.3/include/chmod.php 2016-05-15 11:34:14.000000000 +0200 @@ -41,6 +41,10 @@ function execAction($dir, $item) { // change permissions if(($GLOBALS["permissions"]&01)!=01) ext_Result::sendResult( 'chmod', false, $GLOBALS["error_msg"]["accessfunc"]); + // CSRF Security Check + if( !ext_checkToken($GLOBALS['__POST']["token"]) ) { + ext_Result::sendResult('tokencheck', false, 'Request failed: Security Token not valid.'); + } if( !empty($GLOBALS['__POST']["selitems"])) { $cnt=count($GLOBALS['__POST']["selitems"]); @@ -224,4 +228,4 @@ } } //------------------------------------------------------------------------------ -?> \ No newline at end of file +?> Index: extplorer-2.1.0b6+dfsg.3/include/copy_move.php =================================================================== --- extplorer-2.1.0b6+dfsg.3.orig/include/copy_move.php 2011-03-20 07:20:00.000000000 +0100 +++ extplorer-2.1.0b6+dfsg.3/include/copy_move.php 2016-05-15 11:35:41.000000000 +0200 
@@ -41,6 +41,10 @@ if(($GLOBALS["permissions"]&01)!=01){ ext_Result::sendResult( $action, false, $GLOBALS["error_msg"]["accessfunc"]); } + // CSRF Security Check + if( !ext_checkToken($GLOBALS['__POST']["token"]) ) { + ext_Result::sendResult('tokencheck', false, 'Request failed: Security Token not valid.'); + } // Vars $first = extGetParam($GLOBALS['__POST'], 'first' ); @@ -203,4 +207,4 @@ } \ No newline at end of file +?> Index: extplorer-2.1.0b6+dfsg.3/include/delete.php =================================================================== --- extplorer-2.1.0b6+dfsg.3.orig/include/delete.php 2011-03-20 07:20:00.000000000 +0100 +++ extplorer-2.1.0b6+dfsg.3/include/delete.php 2016-05-15 11:36:35.000000000 +0200 @@ -44,6 +44,10 @@ // delete files/dirs if(($GLOBALS["permissions"]&01)!=01) ext_Result::sendResult('delete', false, $GLOBALS["error_msg"]["accessfunc"]); + // CSRF Security Check + if( !ext_checkToken($GLOBALS['__POST']["token"]) ) { + ext_Result::sendResult('tokencheck', false, 'Request failed: Security Token not valid.'); + } $cnt = count($GLOBALS['__POST']["selitems"]); $err = false; Index: extplorer-2.1.0b6+dfsg.3/include/extract.php =================================================================== --- extplorer-2.1.0b6+dfsg.3.orig/include/extract.php 2011-03-20 07:20:00.000000000 +0100 +++ extplorer-2.1.0b6+dfsg.3/include/extract.php 2016-05-15 11:40:26.000000000 +0200 @@ -44,6 +44,10 @@ if( ! ext_isArchive( $item ) ) { ext_Result::sendResult( 'archive', false, ext_Lang::err( 'extract_noarchive' ) ) ; } else { + // CSRF Security Check + if( !ext_checkToken($GLOBALS['__POST']["token"]) ) { + ext_Result::sendResult('tokencheck', false, 'Request failed: Security Token not valid.'); + } $archive_name = realpath( get_abs_item( $dir, $item ) ) ; 
@@ -69,4 +73,4 @@ } } } -?> \ No newline at end of file +?> Index: extplorer-2.1.0b6+dfsg.3/include/functions.php =================================================================== --- extplorer-2.1.0b6+dfsg.3.orig/include/functions.php 2016-05-14 19:51:15.000000000 +0200 +++ extplorer-2.1.0b6+dfsg.3/include/functions.php 2016-05-15 11:38:39.000000000 +0200 @@ -1358,4 +1358,13 @@ function get_session_id( $id=null ) { return extMakePassword( 32 ); } -?> \ No newline at end of file + +function ext_getToken() { + return md5(session_id()); +} + +function ext_checkToken($token) { + return md5(session_id()) == $token; +} + +?> Index: extplorer-2.1.0b6+dfsg.3/include/rename.php =================================================================== --- extplorer-2.1.0b6+dfsg.3.orig/include/rename.php 2011-03-20 07:20:00.000000000 +0100 +++ extplorer-2.1.0b6+dfsg.3/include/rename.php 2016-05-15 11:37:24.000000000 +0200 @@ -44,6 +44,10 @@ } if(isset($GLOBALS['__POST']["confirm"]) && $GLOBALS['__POST']["confirm"]=="true") { + // CSRF Security Check + if( !ext_checkToken($GLOBALS['__POST']["token"]) ) { + ext_Result::sendResult('tokencheck', false, 'Request failed: Security Token not valid.'); + } $newitemname=$GLOBALS['__POST']["newitemname"]; $newitemname=trim(basename(stripslashes($newitemname))); @@ -159,4 +163,4 @@ } } -?> \ No newline at end of file +?> Index: extplorer-2.1.0b6+dfsg.3/scripts/functions.js.php =================================================================== --- extplorer-2.1.0b6+dfsg.3.orig/scripts/functions.js.php 2011-03-20 07:20:00.000000000 +0100 +++ extplorer-2.1.0b6+dfsg.3/scripts/functions.js.php 2016-05-15 11:42:12.000000000 +0200 @@ -390,7 +390,8 @@ option: 'com_extplorer', dir: dir, item: selitems.length > 0 ? selitems[0]:'', - 'selitems[]': selitems + 'selitems[]': selitems, + token: "" }; return requestParams; } 
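Review bot: in CVE-2015-5660.patch, the new `ext_checkToken()` in the functions.php hunk (`@@ -1358,4 +1358,13 @@`) compares with `==`, which in PHP is a loose comparison: two numeric-looking strings (an md5 of the form `0e` followed only by digits is one) compare as numbers rather than byte for byte. Use a strict comparison, `return md5(session_id()) === (string)$token;`, or `hash_equals()` where the PHP version provides it, and guard the call sites with `isset($GLOBALS['__POST']["token"])`, since every caller added by this patch dereferences the key unconditionally. Deriving the token from `md5(session_id())` also ties it to the session id for the whole session; a random value generated once and stored in the session would give the same CSRF protection without that coupling.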
@@ -599,4 +600,4 @@ if( posArray[1] ) { Ext.fly( 'txtColumn' ).set( { value: posArray[1] } ); } -} \ No newline at end of file +} debian/patches/upstream-fix-for-multiple-vulnerabilities-including-auth.patch0000664000000000000000000001277012225304072025015 0ustar Description: Fixes XSS, view files and authentication bypass Vikas Singhal of Trustwave SpiderLabs has found multiple vulnerabilities on the eXtplorer softare: - a path traversal vulnerability was found in the "edit" functionality of eXtplorer. This vulnerability may allow an attacker to view files outside the website's root directory. - Reflected Cross Site Scripting (XSS) vulnerability in multiple places of eXtpolrer. Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application. - an authentication bypass vulnerability in eXtplorer that allows unauthenticated users to login as an eXtplorer user. Origin: upstream Author: Soeren Eberhardt Date: 2013-10-04 diff -u -r a/fetchscript.php b/fetchscript.php --- a/fetchscript.php 2011-10-30 11:43:12.000000000 +0100 +++ b/fetchscript.php 2011-06-14 09:59:53.000000000 +0200 @@ -208,7 +208,7 @@ // here we need to send the script or stylesheet $processed_files = 0; for( $i = 0; $i < $countFiles; $i++ ) { - $file = $files[$i]; + $file = addslashes($files[$i]);// fix by colonelxc $subdir = $subdirs[$i]; $dir = realpath( $base_dir . '/' . $subdir ); diff -u -r a/include/functions.php b/include/functions.php --- a/include/functions.php 2011-10-30 11:43:12.000000000 +0100 +++ b/include/functions.php 2013-09-10 22:06:47.451364071 +0200 
@@ -91,7 +91,7 @@ if( get_is_dir($item)) $abs_item.='/'; return extPathName($abs_item); } - return extPathName( get_abs_dir($dir)."/".$item ); + return extPathName( get_abs_dir($dir)."/".basename($item) ); } /** * Returns the LS info array from an ftp directory listing diff -u -r a/include/header.php b/include/header.php --- a/include/header.php 2011-10-30 11:43:12.000000000 +0100 +++ b/include/header.php 2013-09-10 22:09:14.740966370 +0200 @@ -33,10 +33,26 @@ * This is the file, which prints the header row with the Logo */ function show_header($dirlinks='') { - $url = str_replace( '&dir=', '&ignore=', $_SERVER['REQUEST_URI'] ); - $url = str_replace('&file_mode=', '', $url ); - - $url_appendix = strpos($url, '?') === false ? '?' : '&'; + $url = htmlentities(str_replace( array('&dir=', '&action=', '&file_mode='), + array('&a=','&b=','&c='), + $_SERVER['REQUEST_URI'] ), ENT_QUOTES ); + $urlArr = parse_url( $url ); + $url_appendix = ''; + if( !empty( $urlArr['query'])) { + $queryParts = explode('&', $urlArr['query']); + $params = array(); + foreach ($queryParts as $param) { + $item = explode('=', $param); + $params[urlencode(urldecode($item[0]))] = urlencode(urldecode($item[1])); + } + $query = ''; + foreach( $params as $key => $val ) { + $query .= $key .'='. $val.'&'; + } + $url = $urlArr['path'].'?'.$query; + } else { + $url_appendix = '?'; + } echo "\n"; echo "
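Review bot: in upstream-fix-for-multiple-vulnerabilities-including-auth.patch, the header.php hunk (`@@ -33,10 +33,26 @@`) runs `htmlentities(..., ENT_QUOTES)` over the whole request URI before `parse_url()` and `explode('&', ...)`, so every `&` in the query is already `&amp;` when the string is split and the rebuilt keys come out as `amp;a`, `amp;b` and so on. Parse the raw `$_SERVER['REQUEST_URI']` first and encode only the final `$url` at output. Inside the loop, `explode('=', $param)` discards everything after a second `=` and `$item[1]` is undefined for a bare key; use `explode('=', $param, 2)` and default the value to `''`. The `get_abs_item()` hunk (`basename($item)`) is the right shape for the traversal fix described in the header.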
\n"; @@ -55,7 +71,7 @@ } echo ''; if( is_object( $GLOBALS['_VERSION'] ) || class_exists( 'jversion')) { - echo "Back to ".( !empty($GLOBALS['_VERSION']->PRODUCT) ? @$GLOBALS['_VERSION']->PRODUCT : 'Joomla!' ).''; + echo 'Back to '.( !empty($GLOBALS['_VERSION']->PRODUCT) ? @$GLOBALS['_VERSION']->PRODUCT : 'Joomla!' ).''; } else { echo ext_selectList('language_selector', $GLOBALS['language'], get_languages(), 1, '', 'onchange="document.location.href=\''.$GLOBALS['script_name'].'?lang=\' + this.options[this.selectedIndex].value;"'); @@ -64,7 +80,7 @@ echo ""; //echo "
"; echo " - \"eXtplorer + \"eXtplorer "; //echo "
"; echo "\n"; diff -u -r a/include/login.php b/include/login.php --- a/include/login.php 2011-10-30 11:43:12.000000000 +0100 +++ b/include/login.php 2013-09-10 22:12:14.923005609 +0200 @@ -72,7 +72,7 @@ if( !empty($GLOBALS['__POST']['username'])) { $username = $GLOBALS['__POST']['username']; - $password = $GLOBALS['__POST']['password']; + $password = (string)$GLOBALS['__POST']['password']; if( $authentication_type == 'extplorer') $password = extEncodePassword($password); } else { $username = $_SESSION['credentials_'.$authentication_type]['username']; diff -u -r a/include/users.php b/include/users.php --- a/include/users.php 2011-10-30 11:43:12.000000000 +0100 +++ b/include/users.php 2013-09-10 22:12:46.782926889 +0200 @@ -68,7 +68,7 @@ $cnt=count($GLOBALS["users"]); for($i=0;$i<$cnt;++$i) { if($user==$GLOBALS["users"][$i][0]) { - if($pass==NULL || ($pass==$GLOBALS["users"][$i][1] && + if($pass===NULL || ($pass==$GLOBALS["users"][$i][1] && $GLOBALS["users"][$i][7])) { return $GLOBALS["users"][$i]; debian/patches/series0000664000000000000000000000037713144056026012044 0ustar adds-a-makefile.patch upstream-fix-for-XSR-problem.patch fixes-Cross-Site-Request-Forgery-vulnerability.patch upstream-fix-for-multiple-vulnerabilities-including-auth.patch CVE-2015-0896.patch CVE-2015-5660.patch CVE-2016-4313.patch CVE-2017-12756.patch debian/patches/CVE-2017-12756.patch0000664000000000000000000000246413144056026013335 0ustar Index: extplorer-2.1.0b6+dfsg.3/include/transfer.php =================================================================== --- extplorer-2.1.0b6+dfsg.3.orig/include/transfer.php 2017-08-21 14:25:33.068054729 +0200 +++ extplorer-2.1.0b6+dfsg.3/include/transfer.php 2017-08-21 14:25:33.056054186 +0200 
@@ -67,8 +67,21 @@ } // upload files & check for errors for($i=0;$i<$cnt;$i++) { + if( empty($GLOBALS['__POST']['userfile'][$i])) continue; $errors[$i]=NULL; + $data = array( + 'url' => $GLOBALS['__POST']['userfile'][$i] + ); + + $validated = InputFilter::is_valid($data, array( + 'url' => 'required|valid_url' + )); + + if($validated !== true) { + $errors[$i]=$GLOBALS['__POST']['userfile'][$i].' is not a valid URL!'; + $err=true; continue; + } $items[$i] = stripslashes(basename($GLOBALS['__POST']['userfile'][$i])); $abs = get_abs_item($dir,$items[$i]); @@ -129,6 +142,7 @@ $status = 0; $output = array(); $wget = getBinaryPath('wget'); + $url = escapeshellcmd( $url ); exec("$wget -O$outputFile $url ", $output, $status); if ($status) { $msg = 'exec returned an error status '; debian/patches/adds-a-makefile.patch0000664000000000000000000001415612040544417014554 0ustar Description: Adds a Makefile to install extplorer Author: Thomas Goirand Forwarded: not-needed --- /dev/null 2011-09-08 22:30:15.796479636 +0000 +++ extplorer/Makefile 2011-10-20 13:15:21.000000000 +0000 
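Review bot: in CVE-2017-12756.patch, the second transfer.php hunk (`@@ -129,6 +142,7 @@`) applies `escapeshellcmd($url)` before `exec("$wget -O$outputFile $url ")`, but `escapeshellcmd()` escapes only shell metacharacters in a command string and leaves whitespace alone, so a URL containing spaces still splits into additional wget arguments. Quote each argument with `escapeshellarg()` instead: `exec($wget.' -O'.escapeshellarg($outputFile).' '.escapeshellarg($url), $output, $status);`. The first hunk validates `$GLOBALS['__POST']['userfile'][$i]` with `InputFilter::is_valid(..., 'required|valid_url')`, but this hunk does not show where `$url` is assigned; make sure it is the value that passed validation rather than one re-read from the request.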
@@ -0,0 +1,144 @@ +# Customized for all packages +APP_NAME=extplorer + +# List files to install +WEB_FILES=admin.extplorer.php configuration.ext.php extplorer.list.php fetchscript.php install.extplorer.php webdav.php \ +application.php extplorer.init.php extplorer.php index.php webdav_authenticate.php webdav_table.sql.php \ +extplorer.j15.xml extplorer.xml eXtplorer.ico \ +libraries/standalone.php libraries/lib_zip.php libraries/index.html libraries/SSH2.php \ +libraries/Archive/archive.php libraries/Archive/file.php libraries/Archive/folder.php libraries/Archive/index.html libraries/Archive/path.php \ +libraries/Archive/adapter/index.html libraries/Archive/adapter/zip.php \ +libraries/File_Operations.php libraries/inputfilter.php \ +scripts/application.js.php scripts/functions.js.php scripts/index.html scripts/archive.js.php + +EXTJS3_EXT=scripts/extjs3-ext/ux.editareaadapater/ext-editarea-adapter.js \ +scripts/extjs3-ext/ux.fileuploadfield/ext-fileUploadField.js \ +scripts/extjs3-ext/ux.locationbar/btn-arrow.gif \ +scripts/extjs3-ext/ux.locationbar/Ext.ux.LocationBar.js \ +scripts/extjs3-ext/ux.locationbar/location_back.png \ +scripts/extjs3-ext/ux.locationbar/Locationbar-component.html \ +scripts/extjs3-ext/ux.locationbar/LocationBar.css \ +scripts/extjs3-ext/ux.locationbar/Locationbar-render.html \ +scripts/extjs3-ext/ux.locationbar/location_folder.png \ +scripts/extjs3-ext/ux.locationbar/location_forward.png \ +scripts/extjs3-ext/ux.locationbar/location_reload.png \ +scripts/extjs3-ext/ux.locationbar/tb-btn-sprite.gif \ +scripts/extjs3-ext/ux.ondemandload/scriptloader.js \ +scripts/extjs3-ext/ux.statusbar/ext-statusbar.js \ +scripts/extjs3-ext/ux.swfupload/add.png \ +scripts/extjs3-ext/ux.swfupload/arrow_up.png \ +scripts/extjs3-ext/ux.swfupload/cancel.png \ +scripts/extjs3-ext/ux.swfupload/delete.png \ +scripts/extjs3-ext/ux.swfupload/SwfUpload.js \ +scripts/extjs3-ext/ux.swfupload/SwfUploadPanel.css \ +scripts/extjs3-ext/ux.swfupload/SwfUploadPanel.js + 
+CONF_FILES=conf.php index.html mimes.php + +DOCS_FILES=CHANGELOG.txt + +CONTENT_FOLDERS=images include languages style + +# Common to all packages +INSTALL?=install -D +INSTALL_DIR?=install -d +APP_DIR?=/usr/share/$(APP_NAME) +CONF_DIR?=/etc/$(APP_NAME) +DOC_DIR?=/usr/share/doc/$(APP_NAME) +VAR_DIR?=/var/lib/$(APP_NAME) +PHP_DIR?=/usr/share/php +UNIX_TYPE?=debian + +DESTDIR?="" +D_APP_DIR?=$(DESTDIR)/usr/share/$(APP_NAME) +D_CONF_DIR?=$(DESTDIR)/etc/$(APP_NAME) +D_DOC_DIR?=$(DESTDIR)/usr/share/doc/$(APP_NAME) +D_VAR_DIR?=$(DESTDIR)/var/lib/$(APP_NAME) + +PHP_RIGHTS=0644 +NORMAL_FOLDER=0775 + +default: + @echo "******************************************************************" + @echo "******* Error: there is no default target in this Makefile! ******" + @echo "******************************************************************" + @echo "DESTDIR="$(DESTDIR) + @echo "APP_DIR="$(APP_DIR) + @echo "CONF_DIR="$(CONF_DIR) + @echo "DOC_DIR="$(DOC_DIR) + @echo "VAR_DIR="$(VAR_DIR) + @echo "CURDIR="$(CURDIR) + @echo "INSTALL="$(INSTALL) + @echo "INSTALL_DIR="$(INSTALL_DIR) + @echo "" + @exit 1 + +install: + @echo "Running make install..." + # Install the app + @for i in $(WEB_FILES) ; do $(INSTALL) -m $(PHP_RIGHTS) $$i $(D_APP_DIR)/$$i ; done + # Copy the image folder + for i in $(CONTENT_FOLDERS) ; do \ + cp -rfv $$i $(D_APP_DIR) ; \ + done + ln -s ../../javascript/extjs/resources/images/default $(D_APP_DIR)/images/default + + for i in $(EXTJS3_EXT) ; do $(INSTALL) -m $(PHP_RIGHTS) $$i $(D_APP_DIR)/$$i ; done + + ################################################################## + # Link the embedded libraries with their OS packaged replacement # + ################################################################## + # Strange behavior of the app + ln -s ../.. 
$(D_APP_DIR)/usr + # Ext JS + ln -s ../../javascript/extjs $(D_APP_DIR)/scripts/extjs3 + # Edit-area + ln -s ../../javascript/edit-area $(D_APP_DIR)/scripts/editarea + # YUI + ln -s ../../javascript/yui $(D_APP_DIR)/scripts/yui + # The libraries folder + $(INSTALL_DIR) -m $(NORMAL_FOLDER) $(D_APP_DIR)/libraries + # Setup of links for the PEAR and other libs that were embedded in eXtplorer + # PEAR.php itself + ln -s ../../php/PEAR.php $(D_APP_DIR)/libraries/PEAR.php + ln -s ../../php/System.php $(D_APP_DIR)/libraries/System.php + # Service/JSON + ln -s ../../php/Services/JSON.php $(D_APP_DIR)/libraries/JSON.php + # php-geshi + ln -s ../../php-geshi $(D_APP_DIR)/libraries/geshi + # Net_FTP + ln -s ../../php/Net/FTP.php $(D_APP_DIR)/libraries/FTP.php + ln -s ../../php/Net/FTP $(D_APP_DIR)/libraries/FTP + # Archive_Tar + ln -s ../../php/Archive/Tar.php $(D_APP_DIR)/libraries/Tar.php + # Console_Getopt + ln -s ../../php/Console $(D_APP_DIR)/libraries/Console + # Auth + $(INSTALL_DIR) -m $(NORMAL_FOLDER) $(D_APP_DIR)/libraries/Auth + ln -s ../../../php/Auth/Auth.php $(D_APP_DIR)/libraries/Auth/Auth.php + $(INSTALL_DIR) -m $(NORMAL_FOLDER) $(D_APP_DIR)/libraries/Auth/HTTP + ln -s ../../../../php/Auth/HTTP.php $(D_APP_DIR)/libraries/Auth/HTTP/HTTP.php + # HTTP_WebDAV_Client + ln -s ../../php/HTTP $(D_APP_DIR)/libraries/HTTP + # MIME_Type + ln -s ../../php/MIME $(D_APP_DIR)/libraries/MIME + # The inputfilter class + #ln -s ../../php/inputfilter/class.inputfilter_clean.php $(D_APP_DIR)/libraries/inputfilter.php + + ############################################## + # Manage the config folder in /etc/extplorer # + ############################################## + @for i in $(CONF_FILES) ; do $(INSTALL) -m $(PHP_RIGHTS) config/$$i $(D_CONF_DIR)/$$i ; done + @ln -s /etc/extplorer $(D_APP_DIR)/config + + ########################### + # Make the ftp_tmp folder # + ########################### + @$(INSTALL) -m $(PHP_RIGHTS) ftp_tmp/index.html $(D_VAR_DIR)/ftp_tmp/index.html + @ln -s 
/var/lib/extplorer/ftp_tmp $(D_APP_DIR)/ftp_tmp + + #################### + # Install the docs # + #################### + $(INSTALL) -m $(PHP_RIGHTS) CHANGELOG.txt $(D_DOC_DIR)/changelog + gzip -9 $(D_DOC_DIR)/changelog debian/patches/CVE-2016-4313.patch0000664000000000000000000000246412754437070013252 0ustar --- a/libraries/Archive/adapter/zip.php +++ b/libraries/Archive/adapter/zip.php @@ -187,6 +187,9 @@ if( substr( $this->_metadata[$i]['name'], - 1, 1 ) != '/' && substr( $this->_metadata[$i]['name'], - 1, 1 ) != '\\' ) { $buffer = $this->_getFileData( $i ) ; $path = extPath::clean( $destination . DS . $this->_metadata[$i]['name'] ) ; + if( strpos($path, '..') !== false ) { + return PEAR::raiseError( 'Use of relative paths not permitted' ) ; + } // Make sure the destination folder exists if( ! extMkdirR( dirname( $path ) ) ) { return PEAR::raiseError( 'Unable to create destination' ) ; 
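Review bot: `ln -s ../.. $(D_APP_DIR)/usr` (the line commented "Strange behavior of the app") publishes a symlink named usr inside the web root that resolves to /usr, so under whatever web alias serves $(APP_DIR), and with symlink following enabled, every file below /usr becomes reachable through the web server; the comment should say which application path needs it, and the link should be narrowed to the specific subdirectories the application actually loads. Two smaller points: `DESTDIR?=""` stores the two quote characters in the variable (make does not strip quotes), so `DESTDIR?=` is what is meant, and `NORMAL_FOLDER=0775` ships group-writable directories under /usr/share, where 0755 is the expected mode.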
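Review bot: the new '..' test at line +190 runs on the result of extPath::clean() rather than on the raw $this->_metadata[$i]['name']; if clean() collapses '..' segments, a traversing entry has already escaped $destination by the time the substring check runs and sees nothing, while a benign file name such as 'notes..txt' is rejected. Test the entry name before cleaning, and prefer a containment check that confirms realpath(dirname($path)) starts with realpath($destination) once extMkdirR() has created it, since that holds regardless of how the name was spelled.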
@@ -222,6 +225,9 @@ if( zip_entry_open( $zip, $file, "r" ) ) { if( substr( zip_entry_name( $file ), strlen( zip_entry_name( $file ) ) - 1 ) != "/" ) { $buffer = zip_entry_read( $file, zip_entry_filesize( $file ) ) ; + if( strpos($destination . DS . zip_entry_name( $file ), '..') !== false ) { + return PEAR::raiseError( 'Use of relative paths not permitted' ) ; + } if( !extMkdirR(dirname($destination . DS . zip_entry_name( $file ))) || file_put_contents( $destination . DS . zip_entry_name( $file ), $buffer ) === false ) { return PEAR::raiseError( 'Unable to write entry: '.$destination . DS. zip_entry_name( $file ) ) ; } debian/patches/upstream-fix-for-XSR-problem.patch0000664000000000000000000000510112040544417017156 0ustar Description: Fixes an XSS if user is logged. John Leitch has discovered a vulnerability in eXtplorer, which can be exploited by malicious people to conduct cross-site request forgery attacks. . The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the request. This can be exploited to e.g. create an administrative user by tricking an administrator into visiting a malicious web site while being logged-in to the application. . More info can be found at: * http://secunia.com/advisories/44066/ * http://www.autosectools.com/Advisories/eXtplorer.2.1.RC3_Cross-site.Request.Forgery_174.html Origin: upstream Forwarded: not-needed Reviewed-By: Thomas Goirand Last-Update: <2012-06-22> --- extplorer-2.1.0b6+dfsg.2.orig/fetchscript.php +++ extplorer-2.1.0b6+dfsg.2/fetchscript.php @@ -208,7 +208,7 @@ http_conditionalRequest( $newest_mdate ) // here we need to send the script or stylesheet $processed_files = 0; for( $i = 0; $i < $countFiles; $i++ ) { - $file = $files[$i]; + $file = addslashes($files[$i]);// fix by colonelxc $subdir = $subdirs[$i]; $dir = realpath( $base_dir . '/' . $subdir ); --- extplorer-2.1.0b6+dfsg.2.orig/include/header.php +++ extplorer-2.1.0b6+dfsg.2/include/header.php 
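Review bot: the check added at line +228 tests $destination . DS . zip_entry_name($file) as a whole, so a destination path that itself contains '..' (a relative target) makes every entry fail with 'Use of relative paths not permitted' even when the archive is clean; test zip_entry_name($file) alone, as the first hunk does with the entry name. The two hunks also duplicate the same condition and message, which is easier to keep consistent as one helper applied to the entry name before the path is built.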
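Review bot: addslashes() at line +211 only backslash-escapes quotes, backslashes and NUL; it does not neutralise '../' in a file name and does not HTML-encode, so it fits neither a filesystem sink nor an HTML sink, and the request-forgery problem the patch description names is not addressed by it at all. Replace it with a check that $files[$i] is one of the expected script or stylesheet names (or basename() plus an extension whitelist) and, if the value is ever echoed, htmlspecialchars(); a comment stating which sink this line protects would make the intent reviewable.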
@@ -33,8 +33,9 @@ if( !defined( '_JEXEC' ) && !defined( '_ * This is the file, which prints the header row with the Logo */ function show_header($dirlinks='') { - $url = str_replace( '&dir=', '&ignore=', $_SERVER['REQUEST_URI'] ); - $url = str_replace('&file_mode=', '', $url ); + $url = htmlentities(str_replace( array('&dir=', '&action=', '&file_mode='), + array('&a=','&b=','&c='), + $_SERVER['REQUEST_URI'] ), ENT_QUOTES ); $url_appendix = strpos($url, '?') === false ? '?' : '&'; 
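Review bot: htmlentities() at line +36 is called without the charset argument, so the encoding assumed depends on the PHP version default; pass 'UTF-8' explicitly, and htmlspecialchars($url, ENT_QUOTES, 'UTF-8') is sufficient here since only the HTML-special characters need escaping before $url goes into markup. Note also that str_replace() matches '&dir=', '&action=' and '&file_mode=' only, so the same parameters in first position after '?' keep their names; if the rename is meant to strip them from the generated link, parse the query with parse_str() and rebuild it with http_build_query() instead of string substitution.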
@@ -55,7 +56,7 @@ function show_header($dirlinks='') { } echo ''; if( is_object( $GLOBALS['_VERSION'] ) || class_exists( 'jversion')) { - echo "Back to ".( !empty($GLOBALS['_VERSION']->PRODUCT) ? @$GLOBALS['_VERSION']->PRODUCT : 'Joomla!' ).''; + echo 'Back to '.( !empty($GLOBALS['_VERSION']->PRODUCT) ? @$GLOBALS['_VERSION']->PRODUCT : 'Joomla!' ).''; } else { echo ext_selectList('language_selector', $GLOBALS['language'], get_languages(), 1, '', 'onchange="document.location.href=\''.$GLOBALS['script_name'].'?lang=\' + this.options[this.selectedIndex].value;"'); debian/copyright0000664000000000000000000002027512040544417011132 0ustar Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Upstream-Name: eXtplorer Upstream-Contact: Soeren Eberhardt Source: http://extplorer.sourceforge.net/ Files: debian/* Makefile Copyright: (c) 2009, Thomas Goirand License: LGPL-2.1+ Files: scripts/extjs3-ext/ux.swfupload/* Copyright: (c) 2006-2007 Lars Huring, Olov Nilzxn and Mammon Media (c) 2007-2010 Jake Roberts License: MIT Files: libraries/SSH2.php Copyright: (c) 2008, Bas Weermann http://www.php.net/manual/de/function.ssh2-sftp.php#83174 (c) 2009, Soeren Eberhardt License: GPL-2+-and-MPL-1.1 Files: libraries/Archive/path.php libraries/Archive/folder.php libraries/Archive/file.php libraries/Archive/archive.php libraries/Archive/adapter/zip.php Copyright: (C) 2005 - 2008 Open Source Matters. All rights reserved. 
           (c) 2009, Soeren Eberhardt
License: GPL-2

Files: libraries/inputfilter.php
Copyright: (c) Daniel Morris
           with contribution from:
           (c) Gianpaolo Racca
           (c) Ghislain Picard
           (c) Marco Wandschneider
           (c) Chris Tobin and Andrew Eddie
           (c) Louis Landry
           (c) 2007-2009, Soeren Eberhardt
License: GPL-2

Files: webdav.php webdav_authentication.php
Copyright: (c) 2008-2009, Soeren Eberhardt
           (c) 2008-2009, Vincent JAULIN
License: GPL-2

Files: scripts/extjs3-ext/ux.swfupload/SWFUpload.js
Copyright: (c) 2006-2007 Lars Huring, Olov Nilzen and Mammon Media
           (c) 2007-2008, Jake Roberts
           (c) 2008-2009, Soeren Eberhardt
License: MIT

Files: libraries/lib_zip.php
       include/admin.php
       include/archive.php
       include/bookmarks.php
       libraries/chmod.php
       libraries/copy_move.php
       libraries/delete.php
       libraries/download.php
       libraries/edit.php
       libraries/extract.php
       libraries/ftp_authentication.php
       libraries/functions.php
       libraries/header.php
       libraries/init.php
       libraries/list.php
       libraries/login.php
       libraries/mkitem.php
       libraries/rename.php
       libraries/result.class.php
       libraries/search.php
       libraries/upload.php
       libraries/users.php
       libraries/authentication/extplorer.php
       libraries/authentication/ftp.php
       libraries/authentication/ssh2.php
       admin.extplorer.php
       extplorer.php
       extplorer.init.php
       extplorer.list.php
       index.php
Copyright: (c) 2003, The QuiX project quix@free.fr
           (c) 2009, Soeren Eberhardt
License: MPL-and-GPL-2

Files: *
Copyright: (c) 2009, Soeren Eberhardt
License: MPL-and-GPL-2

License: LGPL-2.1+
 This library is free software; you can redistribute it and/or
 modify it under the terms of the GNU Lesser General Public
 License as published by the Free Software Foundation; either
 version 2.1 of the License, or (at your option) any later version.
 .
 This library is distributed in the hope that it will be useful,
 but WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 Lesser General Public License for more details.
 .
 You should have received a copy of the GNU Lesser General Public
 License along with this library; if not, write to the Free Software
 Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
 .
 On Debian systems, the complete text of the GNU Lesser General Public
 License (LGPL) may be found in /usr/share/common-licenses/LGPL-2.1

License: MIT
 Permission is hereby granted, free of charge, to any person obtaining a
 copy of this software and associated documentation files (the
 "Software"), to deal in the Software without restriction, including
 without limitation the rights to use, copy, modify, merge, publish,
 distribute, sublicense, and/or sell copies of the Software, and to
 permit persons to whom the Software is furnished to do so, subject to
 the following conditions:
 .
 The above copyright notice and this permission notice shall be included
 in all copies or substantial portions of the Software.
 .
 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
 MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
 IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
 CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
 TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
 SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 .
 You may obtain a copy of the License at:
 http://www.opensource.org/licenses/mit-license.php

License: GPL-2+-and-MPL-1.1
 This file is derived from the work of Bas Weermann as published at:
 http://www.php.net/manual/de/function.ssh2-sftp.php#83174
 .
 Copyright notice for the MPL 1.1:
 .
 The contents of this file are subject to the Mozilla Public License
 Version 1.1 (the "License"); you may not use this file except in
 compliance with the License.
 .
 Software distributed under the License is distributed on an "AS IS"
 basis, WITHOUT WARRANTY OF ANY KIND, either express or implied.
 See the License for the specific language governing rights and
 limitations under the License.
 .
 You may obtain a copy of the License at http://www.mozilla.org/MPL/
 .
 Copyright notice for the GPL-2+:
 .
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
 the Free Software Foundation; either version 2 of the License, or
 (at your option) any later version.
 .
 This program is distributed in the hope that it will be useful,
 but WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 GNU General Public License for more details.
 .
 You should have received a copy of the GNU General Public License
 along with this program; if not, write to the Free Software
 Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
 .
 On Debian systems, the complete text of the GNU General Public License
 (GPL v2) may be found in /usr/share/common-licenses/GPL-2.

License: GPL-2
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
 the Free Software Foundation.
 .
 This program is distributed in the hope that it will be useful,
 but WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 GNU General Public License for more details.
 .
 You should have received a copy of the GNU General Public License
 along with this program; if not, write to the Free Software
 Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
 .
 On Debian systems, the complete text of the GNU General Public
 License (GPL) may be found in /usr/share/common-licenses/GPL.

License: MPL-and-GPL-2
 The Initial Developer of the Original Code is The QuiX project, and is
 released into a dual license.
 So eXtplorer is released under a dual-license: You can choose whether
 you want to use eXtplorer under the Mozilla Public License (MPL 1.1) or
 under the GNU General Public License (GNU/GPL).
 .
 MPL 1.1:
 .
 The contents of this file are subject to the Mozilla Public License
 Version 1.1 (the "License"); you may not use this file except in
 compliance with the License.
 .
 Software distributed under the License is distributed on an "AS IS"
 basis, WITHOUT WARRANTY OF ANY KIND, either express or implied.
 See the License for the specific language governing rights and
 limitations under the License.
 .
 You may obtain a copy of the License at http://www.mozilla.org/MPL/, or
 in this package in /usr/share/doc/extplorer/LICENSE_MPL.txt
 .
 Copyright notice for GPL:
 .
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
 the Free Software Foundation.
 .
 This program is distributed in the hope that it will be useful,
 but WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 GNU General Public License for more details.
 .
 You should have received a copy of the GNU General Public License
 along with this program; if not, write to the Free Software
 Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA

debian/rules

#!/usr/bin/make -f

build-arch: build
build-indep: build
build:

clean:
	dh_testdir
	dh_testroot
	dh_clean

install:
	dh_testdir
	dh_testroot
	dh_clean
	$(MAKE) install DESTDIR=$(CURDIR)/debian/extplorer
	cp config/.htusers.php $(CURDIR)/debian/extplorer/usr/share/doc/extplorer/example.dot.htusers.php

binary-indep: install
	dh_testdir
	dh_testroot
	dh_installchangelogs CHANGELOG.txt
	dh_installdocs README.txt LICENSE_MPL.txt
	dh_install
	dh_installdebconf
	dh_compress
	dh_fixperms
	dh_installdeb
	dh_gencontrol
	dh_md5sums
	dh_builddeb

binary-arch: install

binary: binary-indep binary-arch

.PHONY: build clean binary-indep binary-arch binary install

debian/docs

debian/README.Debian

debian/changelog

extplorer (2.1.0b6+dfsg.3-4+deb7u5build0.14.04.1) trusty-security; urgency=medium

  * fake sync from Debian

 -- Steve Beattie  Tue, 29 Aug 2017 16:01:38 -0700

extplorer (2.1.0b6+dfsg.3-4+deb7u5) wheezy-security; urgency=high

  * Non-maintainer upload by the Wheezy LTS Team.
  * CVE-2017-12756
    Fix command injection in transfer from another server in extplorer
    2.1.9 and prior allows attacker to inject command via the userfile[0]
    parameter.

 -- Thorsten Alteholz  Sun, 13 Aug 2017 16:03:02 +0200

extplorer (2.1.0b6+dfsg.3-4+deb7u4) wheezy-security; urgency=high

  * CVE-2016-4313: Fix archive traversal exploit in .zip extraction.
    The unzip/extract feature allowed for path traversal as decompressed
    files can be placed outside of the intended target directory if the
    archive content contained "../" characters.

 -- Chris Lamb  Mon, 15 Aug 2016 23:09:16 +0100

extplorer (2.1.0b6+dfsg.3-4+deb7u3) wheezy-security; urgency=high

  * Non-maintainer upload by the Wheezy LTS Team.
  * CVE-2015-5660
    Cross-site request forgery (CSRF) vulnerability allows remote attackers
    to hijack the authentication of arbitrary users for requests that
    execute PHP code.

 -- Thorsten Alteholz  Thu, 12 May 2016 17:03:02 +0200

extplorer (2.1.0b6+dfsg.3-4+deb7u2) wheezy-security; urgency=high

  * Non-maintainer upload by the Wheezy LTS Team.
  * Multiple cross-site scripting (XSS) vulnerabilities in eXtplorer before
    2.1.7 allow remote attackers to inject arbitrary web script or HTML via
    unspecified vectors.
    CVE-2015-0896 (Closes: #783231)

 -- Thorsten Alteholz  Tue, 08 Mar 2016 18:03:02 +0100

extplorer (2.1.0b6+dfsg.3-4+deb7u1) wheezy-security; urgency=low

  * Upstream fix for XSS, path traversal and auth vulnerabilities.

 -- Thomas Goirand  Wed, 09 Oct 2013 16:52:17 +0000

extplorer (2.1.0b6+dfsg.3-4) unstable; urgency=low

  * Sets the sticky bit on /var/lib/extplorer/ftp_tmp (Closes: #683649).

 -- Thomas Goirand  Sat, 20 Oct 2012 15:51:50 +0000

extplorer (2.1.0b6+dfsg.3-3) unstable; urgency=high

  * Fixes a Cross Site Request Forgery security problem if user is logged
    in by applying upstream patch (Closes: #678737).
  * Bumps to compat level 8 and debhelper 8.
  * Added build-arch and build-indep targets in debian/rules.
  * Standards-Version is now 3.9.3.
  * Now uses format 1.0 for debian/copyright.
  * Removed leading article in short desc.

 -- Thomas Goirand  Fri, 22 Jun 2012 13:48:15 +0000

extplorer (2.1.0b6+dfsg.3-2) unstable; urgency=low

  * Renamed the Makefile patch and added the .swf removal patch to it,
    which now makes extplorer build correctly (Closes: #643110).

 -- Thomas Goirand  Thu, 20 Oct 2011 13:16:45 +0000

extplorer (2.1.0b6+dfsg.3-1) unstable; urgency=low

  * Added upstream fix for *not* displaying the admin icon (Closes: #600929).

 -- Thomas Goirand  Sun, 20 Mar 2011 14:21:11 +0800

extplorer (2.1.0b6+dfsg.2-1) unstable; urgency=low

  * Modified the debian/copyright to include the swfupload copyright-holder.
    (Closes: #592359).
  * Seems the swf file wasn't properly removed (maybe because of a Git usage
    mistake), this time it's ok.

 -- Thomas Goirand  Tue, 31 Aug 2010 21:16:18 +0800

extplorer (2.1.0b6+dfsg.1-1) unstable; urgency=low

  * Removed upstream swf file that didn't build from source (Closes: #591968)
  * Now depends on libapache2-mod-php5 | php5-cgi (Closes: #591947)
  * Standards-Version is now 8.9.1.

 -- Thomas Goirand  Mon, 09 Aug 2010 13:52:53 +0800

extplorer (2.1.0b6+dfsg-2) unstable; urgency=low

  * Added some explanations on how to setup extplorer in the README.Debian.
  * Added /usr/share/doc/extplorer/example.dot.htusers.php
  * Added Vcs-Browser field.

 -- Thomas Goirand  Thu, 15 Jul 2010 04:27:12 +0800

extplorer (2.1.0b6+dfsg-1) unstable; urgency=low

  * Initial release. (Closes: #561872)

 -- Thomas Goirand  Mon, 05 Jul 2010 19:53:12 +0800

debian/gbp.conf

[DEFAULT]
upstream-branch = upstream-sid
debian-branch = debian-sid

[git-buildpackage]
export-dir = ../build-area/

debian/README.sources

Other licenses:

eXtplorer embeds loads of libraries in its original upstream source
package. Some of these libraries are PHP PEAR packages carrying licenses
that are usable in Debian only for PHP itself. That means that, even if
the PHP License 2.02 could be acceptable for a PEAR package in the Debian
distribution, it could not be in the Debian source package of eXtplorer.
For this reason, the maintainers of this package decided to create a
+dfsg version of the upstream code deleting unwanted libraries.
All the libraries that could be packaged separately, outside of
eXtplorer, have been removed using the shell script
debian/create_dfsg_from_upstream, which is to be run right after
extraction of the upstream tarball. Here is a list of what has been
removed from the upstream source, once scripts.tar.gz has been
extracted, together with the corresponding Debian package:

scripts/editarea: libjs-edit-area
scripts/extjs3: libjs-extjs
scripts/yui: libjs-yui
libraries/Auth, libraries/HTTP: php-auth-http
libraries/Console, libraries/PEAR.php, libraries/Tar.php,
libraries/System.php: php-pear
libraries/geshi: php-geshi
libraries/compat.php41x.php, libraries/compat.php42x.php,
libraries/compat.php50x.php: php-compat
libraries/JSON.php: php-services-json
libraries/MIME: php-mime-type
libraries/FTP.php, libraries/FTP: php-net-ftp
scripts/extjs3-ext/ux.swfupload/swfupload.swf: swf file not included

 -- Thomas Goirand  Fri, 22 Jun 2012 13:48:15 +0000

debian/postinst

#!/bin/sh

set -e

# World-writable temporary upload folder with the sticky bit set
mkdir -p /var/lib/extplorer/ftp_tmp
chmod 1777 /var/lib/extplorer/ftp_tmp

# The user database is created empty; it must be writable by the web server
touch /etc/extplorer/.htusers.php
chmod 664 /etc/extplorer/.htusers.php
chgrp www-data /etc/extplorer/.htusers.php

#DEBHELPER#

exit 0

debian/create_dfsg_from_upstream

#!/bin/sh

set -e
set -x

VERS=2.1.0b6+dfsg
PKGNAME=extplorer
MYCWD=`pwd`

# Create a temp folder to create the dfsg version in
if [ -e /etc/redhat-release ] ; then
	MKTEMP="mktemp -d -p /tmp"
else
	MKTEMP="mktemp -d -t"
fi
TMPDIR=`${MKTEMP} ${PKGNAME}.XXXXXX`
DIRNAME=${PKGNAME}-${VERS}
mkdir -p ${TMPDIR}/${DIRNAME}

# Copy all in the dest dir
cp -auxf * ${TMPDIR}/${DIRNAME}
cd ${TMPDIR}/${DIRNAME}

# Extract the scripts.tar.gz, delete Debian packaged libs, fix perms
tar -xzf scripts.tar.gz
rm -rf scripts/editarea scripts/extjs3 scripts/yui scripts.tar.gz
chmod 644 scripts/*.php scripts/index.html scripts/extjs3-ext/*/*
chmod 755 scripts scripts/extjs3-ext scripts/extjs3-ext/*
rm -rf debian .git

# Remove php-* Debian packaged libs
rm -rf libraries/Auth libraries/Console libraries/geshi libraries/HTTP libraries/compat.php41x.php libraries/compat.php42x.php libraries/compat.php50x.php
rm -rf libraries/JSON.php libraries/MIME libraries/PEAR.php libraries/Tar.php libraries/System.php
rm -rf libraries/FTP.php libraries/FTP

# Create the archive, move it to dest, delete temp folder
cd ..
tar -czf ${PKGNAME}_${VERS}.orig.tar.gz ${DIRNAME}
cd ${MYCWD}
mv ${TMPDIR}/${PKGNAME}_${VERS}.orig.tar.gz ..
rm -rf ${TMPDIR}